Manage Service and Process Accounts

Security best practices and IT compliance mandates require that you regularly change the service and process account passwords on your network. These privileged accounts can be stored in services, tasks, COM applications, IIS, SharePoint, databases, and applications, and are found in all cross-platform environments.

Because a single service or process account can be referenced in multiple subsystems and places, a password change performed incorrectly can lock out the account and bring down the entire process. Service and process account passwords are very difficult to change manually: first you have to identify everywhere the service account is in use (discovery), and then you must change the password everywhere it is in use (propagation). Enterprise Random Password Manager (ERPM) takes care of this for you.

Continuous Auto-Discovery of Accounts Used by Windows Services

A unique capability of ERPM is the dynamic discovery of every location throughout the environment where an account is referenced by a Windows service, task, COM/DCOM object, or AT account. Discovering where service accounts are used is half the battle: you can’t change service account passwords if you don’t know where they are in use. ERPM runs this service account enumeration every time it executes a password change job, before any password is changed.

In dynamic environments, with hundreds or thousands of service accounts, ERPM removes the need to dedicate massive amounts of time and resources to manually maintain a catalog of managed services.
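The discovery step described above, as an added example that is not ERPM's own code: a Windows PowerShell function that enumerates the local machine's services, scheduled tasks, COM+ application identities and DCOM AppID RunAs values and reports every one that references a given account. The function and parameter names, the output columns and the sample account name are this example's own assumptions.

```powershell
# Added example, not ERPM code: enumerate where one account is referenced by
# Windows services, scheduled tasks, COM+ application identities and DCOM
# AppID RunAs values on the local machine. Run in an elevated Windows
# PowerShell (5.1) session. Function and parameter names are this example's own.
function Find-AccountReferences {
    param(
        # Account to look for, e.g. 'CORP\svc-backup' (constructed sample value)
        [Parameter(Mandatory)] [string] $Account
    )

    # Strip the domain part so 'CORP\svc-backup', 'svc-backup@corp.example' and a
    # bare 'svc-backup' (as scheduled tasks often store it) can be compared.
    function Get-UserPart([string] $Name) {
        if ($Name -match '^(.*)\\(.+)$') { return $Matches[2] }
        if ($Name -match '^(.+)@(.*)$')  { return $Matches[1] }
        return $Name
    }
    # 'Exact' for a full match, 'UserOnly' when only the bare user name matches
    # (a possible false positive across domains), or $null for no match.
    function Get-MatchKind([string] $Candidate) {
        if ([string]::IsNullOrWhiteSpace($Candidate)) { return $null }
        if ($Candidate -ieq $Account) { return 'Exact' }
        if ((Get-UserPart $Candidate) -ieq (Get-UserPart $Account)) { return 'UserOnly' }
        return $null
    }
    function New-Hit([string] $Subsystem, [string] $Location, [string] $Candidate) {
        $kind = Get-MatchKind $Candidate
        if ($kind) {
            [pscustomobject]@{ Subsystem = $Subsystem; Location = $Location; Account = $Candidate; Match = $kind }
        }
    }

    # 1. Windows services: the SCM logon account is the StartName property
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        New-Hit 'Service' $svc.Name $svc.StartName
    }

    # 2. Scheduled tasks: the principal each task runs as
    try {
        foreach ($task in Get-ScheduledTask -ErrorAction Stop) {
            New-Hit 'ScheduledTask' ($task.TaskPath + $task.TaskName) $task.Principal.UserId
        }
    } catch { Write-Warning "Scheduled task enumeration failed: $_" }

    # 3. COM+ applications: the Identity property in the COM+ catalog
    try {
        $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
        $apps = $catalog.GetCollection('Applications')
        $apps.Populate()
        foreach ($app in $apps) {
            New-Hit 'COM+Application' $app.Name $app.Value('Identity')
        }
    } catch { Write-Warning "COM+ catalog enumeration failed: $_" }

    # 4. DCOM: the per-AppID RunAs value in the registry
    foreach ($key in Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue) {
        $runAs = $key.GetValue('RunAs')
        if ($runAs) {
            $label = $key.GetValue('')   # the default value holds the AppID description, if any
            New-Hit 'DCOM' ("$($key.PSChildName) $label".Trim()) $runAs
        }
    }
}

# Usage (constructed account name): list every location, then review the
# 'UserOnly' hits by hand before scheduling a password change.
Find-AccountReferences -Account 'CORP\svc-backup' | Sort-Object Subsystem | Format-Table -AutoSize
```

The enumeration is read-only and is the inventory a change job needs before it touches anything; 'UserOnly' matches are flagged separately because a scheduled task that stores only the bare user name cannot be distinguished from a same-named account in another domain without further checks.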

Propagation of Privileged Account Credentials

Because ERPM performs a fresh discovery to identify all current uses of a service account before changing its password, it can propagate (distribute) the new credentials to every place where they are in use. The discovery runs every time the password change job runs, so the items being managed are always up to date.

This process ensures that credentials are secured and updated immediately after use. ERPM’s comprehensive accuracy and coverage greatly reduce the chance of account lockouts, system failures, and downtime caused when process accounts are not updated with the newly changed password.

Further, if dependencies are identified, they are stopped (if running) in the proper order, the root service is changed, and then all services that were running are restarted, again in the proper order.
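The stop, change and restart sequence described above, as an added example that is not ERPM's own code: a Windows PowerShell function that walks a service's dependents, stops the ones that are running (deepest dependents first), changes the root service's logon credential through the Service Control Manager, and restarts only what was running, root first. It assumes the account's password has already been changed in the directory; the function and parameter names and the sample values are this example's own.

```powershell
# Added example, not ERPM code: propagate an already-changed password to one
# Windows service in the order the text describes: stop dependent services
# (deepest dependents first), change the root service's logon credential via
# the SCM, then restart only the services that were running, root first.
# Assumes an elevated Windows PowerShell (5.1) session on the target host and
# that the account's password has already been changed in the directory.
# Function and parameter names are this example's own.
function Update-ServiceCredential {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,
        [Parameter(Mandatory)] [string] $Account,            # e.g. 'CORP\svc-backup' (constructed)
        [Parameter(Mandatory)] [securestring] $NewPassword
    )
    $root = Get-Service -Name $ServiceName -ErrorAction Stop

    # Post-order walk of the dependency tree: each service that depends on $svc
    # is emitted after its own dependents, so the list can be stopped in order.
    function Get-DependentsDeepestFirst([System.ServiceProcess.ServiceController] $svc) {
        $out = @()
        foreach ($dep in $svc.DependentServices) {
            $out += @(Get-DependentsDeepestFirst $dep)   # @() keeps an empty result from adding $null
            $out += $dep
        }
        return $out
    }
    # A service reachable by two paths appears twice; keep the first (deepest) occurrence.
    $seen = @{}
    $dependents = @()
    foreach ($d in Get-DependentsDeepestFirst $root) {
        if (-not $seen.ContainsKey($d.Name)) { $seen[$d.Name] = $true; $dependents += $d }
    }

    # Record what is running now so that only those services are restarted later
    $wasRunning  = @($dependents | Where-Object { $_.Status -eq 'Running' } | ForEach-Object { $_.Name })
    $rootRunning = $root.Status -eq 'Running'

    foreach ($d in $dependents) {
        if ($wasRunning -contains $d.Name) { Stop-Service -Name $d.Name -ErrorAction Stop }
    }
    if ($rootRunning) { Stop-Service -Name $root.Name -ErrorAction Stop }

    # Change the logon credential through Win32_Service.Change; the plain-text
    # password exists only for this call.
    $plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
    $wmiSvc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($root.Name)'"
    $result = Invoke-CimMethod -InputObject $wmiSvc -MethodName Change -Arguments @{
        StartName = $Account; StartPassword = $plain
    }
    $plain = $null
    if ($result.ReturnValue -ne 0) {
        throw "Win32_Service.Change on '$($root.Name)' failed with return code $($result.ReturnValue)"
    }

    # Restart in reverse order: root first, then dependents shallowest-first
    if ($rootRunning) { Start-Service -Name $root.Name -ErrorAction Stop }
    for ($i = $dependents.Count - 1; $i -ge 0; $i--) {
        if ($wasRunning -contains $dependents[$i].Name) {
            Start-Service -Name $dependents[$i].Name -ErrorAction Stop
        }
    }
    # Report what was touched so the change job can be verified afterwards
    [pscustomobject]@{ Service = $root.Name; StoppedAndRestarted = $wasRunning; RootWasRunning = $rootRunning }
}

# Usage (constructed values):
# Update-ServiceCredential -ServiceName 'BackupAgent' -Account 'CORP\svc-backup' `
#     -NewPassword (Read-Host -AsSecureString 'New password')
```

Recording the running set before stopping anything is the detail that prevents a change job from starting services that were deliberately stopped, and a non-zero return code from the SCM aborts before any restart so a bad credential is not masked by a service that happens to start anyway.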

This propagation of changed credentials is a complex and error-prone process that requires proven, mature technology to accomplish successfully. Proven by successful deployments on many of the world's largest and most complex networks, ERPM is the only solution that can reliably automate the discovery of service and process accounts and show you the interdependencies.

Propagation Settings

ERPM provides sophisticated off-the-shelf and customized propagation settings so that you can configure propagation steps that are appropriate for your environment. Simply specify which subsystems on which target computer(s) should be checked for needed updates when a service or process password change job runs.

Custom Propagation

With ERPM’s custom propagations, you can change service and process account passwords in applications, scripts, files, and everywhere the accounts are linked. Custom propagations can be deployed on Windows and in cross-platform environments, including Linux/UNIX, mainframes, databases, and more. ERPM leverages the following methods for custom propagations:

String Replacements in Files – ERPM can manage both text based and binary (executable) type files. This action can be performed against either Windows or Linux/UNIX systems, and an unlimited number of files may be added to the target list and managed.

Arbitrary Processes – This allows a custom command line application to be run to update credentials, and the process can perform any action such as updating another program, process, file, location with new credentials, or running another program. Arbitrary Processes can also perform customized account enumerations.

Aggregation of Multiple Base Types – ERPM allows for a custom propagation to be defined that contains multiple steps where those steps must be taken in a particular order. A common use case includes resetting a COM object prior to running an arbitrary program, before resetting a service.

Local Cache for Java Client – The Java SDK provided with ERPM permits local caching of managed passwords for use by scripts, applications, and other processes. This custom propagation examines the credentials stored by the Java Client SDK previously installed on the target system.

Accounts in .NET Config Files – ERPM examines the .NET configuration files made available through the default Microsoft .NET management API, and automatically includes native encryption found in .NET.

Services and Clustered Services – ERPM manages complex clustered services through Microsoft's cluster management API. ERPM examines all services via the Service Control Manager (SCM); when services are found running as the target account, their dependencies and any cluster usage are examined. If dependencies are identified, they are stopped (if running) in the proper order, the root service is changed, and then all services that were running are restarted automatically to avoid lockouts.

Update Logon Cache – ERPM updates the Windows logon cache and places the target account into the logon cache of the system. With this propagation any services, tasks or other processes that rely on the target account will continue to run regardless of domain controller availability. This ensures things like backup jobs, AV updates and others can continue to run until the domain controller is back online for proper authentication.

Update Auto Logon Account – ERPM enumerates the credentials configured on Windows systems that attempt to log on automatically; these accounts are typically found on point-of-sale systems, automated control machinery and kiosks. Auto Logon account configuration is stored in clear text in the registry of the system.

Windows Scheduler Task RunAs Identities – examines the credentials configured to run the various scheduled tasks on Windows systems.

Windows Scheduler AT Service Account – examines the credentials configured to run the scheduling system on Windows systems.

COM+ Application Identities – examines the credentials configured to run the various COM applications on Windows systems.

DCOM Object RunAs Identities – examines the credentials configured to run the various DCOM applications on Windows systems.

IIS6 Metabase Account Info – examines the credentials configured to run the various IIS 6 components on Windows systems. The IIS 6 metabase check covers the anonymous account configuration and usage by application pools. When application pools are changed, they are also restarted.

IIS7 Account Info – examines the credentials configured to run the various IIS 7 components on Windows systems. The IIS 7 check covers the anonymous account configuration and usage by application pools. When application pools are changed, they are also restarted. This step also covers IIS 7.5 (Windows 7 and Windows Server 2008 R2).

SCOM Run As Accounts – examines the Run As accounts configured within Microsoft System Center Operations Manager (SCOM) 2007 and later. This propagation examines the Run As accounts via the WMI interface that SCOM creates when it is installed.

Credentials in SQL Server – examines the credentials configured for external connections in a Microsoft SQL Server instance. This propagation examines and propagates to the credentials under the Credentials node in SQL Server Management Studio using OLE DB connections and calls.

Credentials in J2EE, Oracle/BEA WebLogic, IBM WebSphere and others – full auto-discovery, management and propagation.
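The IIS 7 application pool propagation in the list above (change the pool's stored password, then restart the pools that were changed), as an added example that is not ERPM's own code. It uses the WebAdministration module that ships with the IIS management scripts and tools; the function and parameter names and the sample account are this example's own, and it assumes the account's password has already been changed in the directory.

```powershell
# Added example, not ERPM code: propagate an already-changed password to every
# IIS 7+ application pool running as a given account, then recycle only the
# pools that were changed. Requires the WebAdministration module (IIS
# management scripts and tools) in an elevated Windows PowerShell session;
# the function and parameter names are this example's own.
Import-Module WebAdministration -ErrorAction Stop

function Update-AppPoolCredential {
    param(
        [Parameter(Mandatory)] [string] $Account,            # e.g. 'CORP\svc-web' (constructed)
        [Parameter(Mandatory)] [securestring] $NewPassword
    )
    $plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
    $changed = @()

    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        $pm = $pool.processModel
        # Built-in identities (ApplicationPoolIdentity, NetworkService, ...)
        # store no password; only SpecificUser pools can reference the account.
        if ($pm.identityType -ne 'SpecificUser') { continue }
        if ($pm.userName -ine $Account) { continue }

        Set-ItemProperty -Path "IIS:\AppPools\$($pool.Name)" -Name processModel.password -Value $plain
        $changed += $pool.Name
    }
    $plain = $null

    foreach ($name in $changed) {
        # Worker processes keep the old token until recycled; restart only the
        # pools that are currently started, as the list item describes.
        if ((Get-WebAppPoolState -Name $name).Value -eq 'Started') {
            Restart-WebAppPool -Name $name
        }
    }
    return ,$changed
}

# Usage (constructed values): returns the names of the pools that were updated.
# Update-AppPoolCredential -Account 'CORP\svc-web' -NewPassword (Read-Host -AsSecureString 'New password')
```

Only pools whose identity type is SpecificUser are touched, and only those that were started are restarted, so a stopped pool stays stopped. The anonymous-authentication account mentioned in the same list item lives in the site or server configuration rather than in the pool and is not covered by this function.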

Propagation Scope

ERPM provides propagation scope options that limit propagation to only the system where the account exists, extend it to all systems in a managed group, or, for Windows systems, extend it to systems in trusting domains (including the local domain). In the trusting-domains case, all trust relationships are examined to determine whether the account is in use cross-domain, and that propagation can be further limited to managed systems only.

ERPM – The Only Automated Solution

Reliable service and process account management sets ERPM apart from other products on the market. ERPM reduces the amount of manual labor and effectively discovers and manages service and process accounts through its auto-discovery and built-in propagation capabilities. With ERPM, organizations can take a proactive, automated approach to managing service and process accounts, thus eliminating manual change control procedures.

Contact us to learn more about how Lieberman Software can help you secure your organization's privileged accounts.